On Thursday, May 19, 2023, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking and a request for public comment on proposed changes to the Health Breach Notification Rule (HBNR or, the Rule) that would update and clarify the Rule's scope and amend the definition of what activity is covered by the Rule. The HBNR requires companies accessing personal health information to notify users and the government when that data is breached and allows regulators to levy fines against bad actors.
The most significant proposed change is to clarify that a security breach includes any unauthorized acquisition of identifiable health information that occurs as a result of a disclosure. Currently, the language of the Rule can be interpreted to apply only to malevolent breaches. Essentially the HBNR would cover instances of a "privacy breach" – an improper disclosure without the individual's understanding, knowledge, and consent.
Since the Rule was finalized in 2009, there has been a proliferation of health apps offered to consumers. Companies track everything from diabetes to fertility, and heart health to sleep – collecting more and more sensitive health data from consumers. Many of these apps are free to consumers, with the company's revenue coming from the repackaging of the data and offering it for marketing and other purposes beyond what users may know or agree to. The companies and the data are not covered by the Health Information Portability Accountability Act (HIPAA) unless they are serving as a "business associate" to the covered entities (generally health providers and health insurers).
Many app users assume their information is protected and kept confidential. Further, there is concern that sensitive health information is being shared in ways not contemplated by users. As a result, regulators in the Biden administration and some states have increasingly cracked down on data sharing. The Biden administration has been particularly concerned with health apps that contain reproductive health information and the ways in which state enforcement agencies intend to obtain and utilize such data.
The concerns with user privacy are not new. The FTC issued a policy statement in September 2021 affirming that health apps and connected devices that collect or use consumer's health information must comply with the HBNR and suggesting they would begin reading "breach" as not just a nefarious intrusion, but any unauthorized sharing of data.
Applying that interpretation of the Rule, just this year the FTC has undertaken two enforcement actions of alleged HBNR violations.
- February: the FTC announced it had taken action against GoodRx for failing to notify users of the company's unauthorized disclosure of users' personally identifiable health information to third parties.
- May: the FTC announced an enforcement action and consent decree, including a $100,000 fine against the developer of the fertility app Premom for allegedly disclosing user health data to third parties and deceiving users about its data sharing practices.
The fine amounts, in addition to settlements that do not require companies to admit wrongdoing, suggest the FTC may not be confident of its ability to enforce its 2001 interpretation of the HBNR in court, according to experts.
That could change with the new proposed changes. "The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology," Samuel Levine, the director of the FTC's Bureau of Consumer Protection, said in the statement.
The public has 60 days after the notice is published in the Federal Register to comment on the proposed changes. Instructions for submitting public comments are found in the Notice of Proposed Rulemaking, on page two.
